Skip to main content
Skip table of contents

Employee Self Service MFA


What is happening and why?

Employee Self Service Multi-Factor Authentication (MFA or 2FA) is being rolled out for all online customers to ensure adherence to the Australian Taxation Office (ATO) guidelines for accessing data. See Upcoming MFA changes for ESS for more information.

All employees will be required to add another factor of authentication to complement the password they use to login to Employee Self Service.

What do you need to do?

The PayGlobal Online team will enable MFA for you. But there are some key steps you can do to make sure this runs smoothly.

  • Notify employee of this change to logging into Employee Self Service and also that they will receive an email once it has been enabled (see sample emails below).

  • Let your IT team know this is happening and ask them to whitelist @mail.myobpayglobal.com to ensure employees receive the various communications and emails.

See here for template emails you can use to notify employees, along with samples of emails employees will receive during this process.

How-to guides

The help guides below can be used by the various groups. E.g. Employees, Managers, Payroll team, for instructions with due processes. The development team has enabled Managers with access to reset MFA to expedite the process and reduce interruptions to the Payroll team. However, the Payroll or HR teams can also perform this task from PayGlobal.

For Employees: Employee Manual

This guide shows the steps for employees to login including registering an MFA device from point 4.
Note, they can select to use an Authentication App or be emailed a code.

For Managers: Manager Manual

This link to product help outlines the steps to:

  • view enrolled employees.

  • manually send reminder emails.

  • reset employee MFA registration. Note: the employee will be prompted to setup MFA again at next login.

For Payroll Team: PayGlobal Help

This guide outlines the fields available in PayGlobal and shows how to reset an existing MFA registration so that the employee is prompted to setup MFA again at next login.

MFA Admin Role:

An MFA Admin role was added to ESS version 5.6.1.0. This admin role can be be assigned by PayGlobal administrators to individuals or groups and will allow them to reset MFA for employees.
Following guide explains how to assign Admin Roles.

ESS - Assigning Admin Roles to an employee

Manager Delegation Roles:

You must explicitly setup access for a manager’s delegate to access and manage Employee MFA Setup menu. The following instructions explain how to do this.

Adding MFA to Delegation Roles

FAQ / common problems


Problem 1: Employee receives error that authentication code is invalid.
Answer 1: Check the phone time is synchronised to mobile phone provider network. If the time is out by as little as 1 min or less, the authentication code may not work.
Answer 2: It is possible the employee gained initial access by scanning the QR code with their phone’s camera, instead of an authentication app. In this scenario, their MFA registration will need to be reset by the payroll team or manager.

Question 1: What happens if the person replaces their phone or loses it?
Answer: MFA can be reset by Manager, Payroll Team or MFA Admin (see linked guides above).
The employee will be prompted to setup MFA again when they next login.

Question 2: What happens if the person forgets their authentication device?
Answer: If ESS access is urgent for the employee, MFA can be reset by Manager, Payroll Team or MFA Admin. The employee will be prompted to setup MFA again when they next login.
However, if the employee doesn’t have access to another phone or email (Work Email field in PayGlobal), they will not be able to setup MFA and will need to retrieve their phone. If that is the case, then MFA should not be reset.
If the employee has access to another phone or email to login without original phone, they will need to use this same email or phone MFA each time. If they want to revert back to the original device, they will need MFA reset again.

Question 3: Can we use SSO instead of MFA?
Answer: Yes you can, the following document explains what is required - SSO manual.
Please discuss with your IT team in the first instance. Then contact PayGlobal Support to update ESS with the SSO configuration provided by your IT Team, or to engage a consultant to assist.

Question 4: Can SSO and MFA be used at the same time?
Answer: No, you cannot use SSO and MFA together. MFA will not be enabled for customers that are currently using SSO to sign into ESS.

Question 5: Employee has not received an email reminder, nor a code when option is selected.
Answer: Check the employee record has a Work Email address populated and that it is correct. Also ask the employee to check the Junk folder for the emails.

Question 6: What happens to our test sites?
Answer: MFA is enabled for Test sites also. After Test has been refreshed with a copy of the Live data, the same MFA registration will apply and the same code can be used to authenticate as Live.

Question 7: What happens to NZ & Fijian databases? What happens if I have AU and NZ databases?
Answer: Only AU databases are being enabled. Let us know if you have other databases you would like to enable MFA for along with the start date.

Question 8: Can SMS Text be used as a 2nd factor of authentication?
Answer: SMS Text is not available. The options available are 1) the Authentication App or 2) One-Time Password (OTP) via email.

Question 9: What reminders do employees receive to set up the system?
Answer: A scheduled task runs every day but will only send emails if the following criteria are met:

  • The MFA Start Date has passed.

  • There is only 7 days to the deadline for the completion of MFA setup.

  • The employee:

    • Is Self-Service enabled.

    • Has a work email address in PayGlobal.

    • Has not yet completed MFA setup.

    • Has not already received a reminder email.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close